Getting Started with Dynamic Threat Range
This guide outlines the workflow for setting up and managing a Dynamic Threat Range exercise. As facilitator, you are responsible for configuring the environment so that it matches your team's real-world requirements.
Step 1: Select Your Range and Focus
Begin by choosing the specific scenario you wish to exercise on and the objective of the session:
- Incident Response: Alert-driven specialization focused on in-depth investigation and reconstruction of the complete attack lifecycle for surfaced threats.
- Threat Hunting: Hypothesis-driven specialization focused on proactively detecting attacks that have gone undetected by automated systems.
Step 2: Choose Your SIEM
Select the defensive technology your team will use during the simulation.
- Currently available: Elastic, Splunk, and Microsoft Sentinel.
- Coming Soon: CrowdStrike NG SIEM (scheduled for later in 2026).
Step 3: Exercise Identity and Duration
- Name Your Exercise: Provide a clear, professional title for the session.
- Set Duration: Select the timeframe for the exercise. The default is 4 hours, but it can be set for any duration up to a maximum of 24 hours.
Step 4: Schedule the Exercise (optional)
Utilize the Scheduled Automated Deployment feature to select the exact date and time you want the environment to be ready. This eliminates "wait time" for provisioning during the live session.
If you choose not to schedule in advance, you will need to trigger two actions manually when ready: Provision exercise, which deploys the range environments, and then Start exercise, which begins the timer and grants participant access once provisioning is complete.
Step 5: Add Participants
Organize your users into teams:
- Eligibility: Any user within your organization with an Immersive account can be added.
- Capacity: You can create up to 5 teams with a maximum of 15 participants per team.
Monitoring Team Environments and Performance
Once the exercise is running, the facilitator view provides two main tabs for monitoring environment health and tracking team progress throughout the session:
Range Tab
The Range tab provides a real-time visual representation of the exercise environment and attack execution for each team. It displays the scenario and attack details, team environments, and an interactive network diagram showing the infrastructure.
Attack Deployment: How attacks are initiated depends on your exercise specialization:
- Incident Response exercises: Attacks launch automatically during provisioning and complete before participant access is granted, so the team investigates an attack that has already run and timing is measured from when they can join rather than from attack start.
- Threat Hunting exercises: Use the Launch Attack action to manually initiate the attack across all team environments. This gives you control over when the attack begins after participants have joined their ranges.
Selecting a team displays their attack progress via the attack stages panel. When a team's attack is actively running, "Live Follow Mode" automatically tracks the currently executing attack step and highlights the attack path through the network diagram.
Teams Tab
The Teams tab focuses on monitoring team performance and activity throughout the exercise:
- Activity Monitoring: Track team responses and task completion in real-time as participants submit their findings.
- Team Composition: Review participant assignments for each team.
- Submission Review: View detailed submission history and accuracy for each team's responses.
Note: Environment actions (such as retrying attacks) can be managed from the Range tab.
Post-Exercise Analysis: Reviewing Results
Once the Dynamic Threat Range exercise is concluded, the facilitator gains access to a comprehensive performance breakdown. This data is essential for identifying skill gaps and benchmarking team progress.
Metrics and Scoring
The metrics displayed depend on the exercise specialization:
For Threat Hunting exercises:
- Time to Detect (TTD): The time elapsed between the start of the live attack and accurate evidence of detection being submitted.
- Time to Escalate (TTE): The time elapsed between the start of the live attack and escalation of the incident. This metric relies on sufficient evidence of detection having been submitted.
- Tasks Completed: The number of tasks with a correct final submission, displayed as a ratio (e.g., 8/10).
- Accuracy: The percentage of tasks answered correctly, calculated by dividing the number of tasks with a correct final submission by the total number of tasks in the scenario (attempted or not).
For Incident Response exercises:
- Time to Investigate (TTI): The time elapsed between the moment the team is able to join the exercise and the conclusion of the investigation.
- Tasks Completed: The number of tasks with a correct final submission, displayed as a ratio (e.g., 8/10).
- Accuracy: The percentage of tasks answered correctly, calculated by dividing the number of tasks with a correct final submission by the total number of tasks in the scenario (attempted or not).
Detailed Submission Review
Beyond the high-level scores, facilitators can perform a deep dive into each team's activity:
- Submission History: View a chronological log of every answer and piece of evidence submitted by each team.
- Validation: See exactly which answers were Correct or Incorrect, providing the necessary clarity to lead an effective post-exercise debrief.
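The metric definitions above can be recomputed from a team's chronological submission history, which is useful when preparing a debrief or checking a score that looks surprising. The following is an added example and not the platform's own scoring code: the record layout (timestamp, task, kind, correct), the event kinds, and the rule that "sufficient evidence of detection" means the first correct evidence submission are assumptions made here. It implements the "final submission counts" rule (a later wrong answer replaces an earlier correct one), TTD and TTE for Threat Hunting, TTI for Incident Response, and the case where escalation is raised before any detection evidence, in which TTE is not counted.

```python
"""Recompute Dynamic Threat Range metrics from a team's submission history.

Added example, not the platform's own scoring code. The record layout,
the event kinds, and the rule for what counts as "sufficient evidence of
detection" (the first correct evidence submission) are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Submission:
    at: datetime
    task: str      # task identifier, or the event name for escalation/conclusion
    kind: str      # "evidence" | "answer" | "escalation" | "conclusion"
    correct: bool  # validation result; escalation/conclusion events are always True


def final_per_task(subs: List[Submission]) -> Dict[str, Submission]:
    """Only the final submission for each task counts, so a later wrong
    answer replaces an earlier correct one."""
    latest: Dict[str, Submission] = {}
    for s in sorted(subs, key=lambda s: s.at):
        if s.kind in ("evidence", "answer"):
            latest[s.task] = s
    return latest


def tasks_completed(subs: List[Submission]) -> int:
    return sum(1 for s in final_per_task(subs).values() if s.correct)


def accuracy_pct(subs: List[Submission], total_tasks: int) -> float:
    # Denominator is every task the scenario defines, attempted or not.
    return round(100.0 * tasks_completed(subs) / total_tasks, 1) if total_tasks else 0.0


def time_to_detect(subs: List[Submission], attack_start: datetime) -> Optional[timedelta]:
    """TTD: attack start to the first correct evidence-of-detection submission."""
    hits = [s.at for s in subs if s.kind == "evidence" and s.correct and s.at >= attack_start]
    return min(hits) - attack_start if hits else None


def time_to_escalate(subs: List[Submission], attack_start: datetime) -> Optional[timedelta]:
    """TTE: attack start to escalation, counted only if detection evidence preceded it."""
    ttd = time_to_detect(subs, attack_start)
    if ttd is None:
        return None
    detected_at = attack_start + ttd
    escalations = [s.at for s in subs if s.kind == "escalation" and s.at >= detected_at]
    return min(escalations) - attack_start if escalations else None


def time_to_investigate(subs: List[Submission], join_time: datetime) -> Optional[timedelta]:
    """TTI (Incident Response): from the team being able to join to the conclusion."""
    ends = [s.at for s in subs if s.kind == "conclusion"]
    return min(ends) - join_time if ends else None


def minutes(td: Optional[timedelta]) -> Optional[float]:
    return None if td is None else td.total_seconds() / 60


def threat_hunting_report(subs: List[Submission], attack_start: datetime, total_tasks: int) -> dict:
    return {
        "ttd_min": minutes(time_to_detect(subs, attack_start)),
        "tte_min": minutes(time_to_escalate(subs, attack_start)),
        "tasks_completed": f"{tasks_completed(subs)}/{total_tasks}",
        "accuracy_pct": accuracy_pct(subs, total_tasks),
    }


def _t(hour: int, minute: int) -> datetime:
    return datetime(2026, 3, 2, hour, minute)


# Constructed sample: one Threat Hunting team, five tasks, attack launched at 09:00.
ATTACK_START = _t(9, 0)
TOTAL_TASKS = 5
SAMPLE = [
    Submission(_t(9, 12), "T1", "evidence", False),         # wrong host: not a detection
    Submission(_t(9, 31), "T1", "evidence", True),          # first accurate evidence -> TTD
    Submission(_t(9, 40), "T2", "answer", True),
    Submission(_t(9, 58), "escalate", "escalation", True),  # after detection -> TTE
    Submission(_t(10, 5), "T3", "answer", True),
    Submission(_t(10, 20), "T3", "answer", False),          # final answer wrong: T3 not completed
    Submission(_t(10, 30), "T4", "answer", False),
]                                                            # T5 never attempted

# Constructed edge case: escalation raised before any correct detection evidence.
EARLY_ESCALATION = [
    Submission(_t(9, 10), "escalate", "escalation", True),
    Submission(_t(9, 31), "T1", "evidence", True),
]

if __name__ == "__main__":
    print(threat_hunting_report(SAMPLE, ATTACK_START, TOTAL_TASKS))
    print(threat_hunting_report(EARLY_ESCALATION, ATTACK_START, TOTAL_TASKS))
```

For the sample team this yields TTD 31 minutes, TTE 58 minutes, 2/5 tasks completed and 40.0% accuracy; for the early-escalation team TTE is reported as not counted because no detection evidence preceded the escalation, which is the behaviour the TTE definition describes.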